As manufacturing and critical infrastructure organizations grapple with ICS cybersecurity concerns, one of the most crucial factors for improvement has nothing to do with technology. Instead, it's all about building a collaborative culture among the IT and OT stakeholders.
The more mutual respect and cooperation fostered between the two parties, the easier it will be for the collective team to build an effective ICS cybersecurity program. Lessons learned from the long history of IT cybersecurity evolution can be custom-tailored to the OT operating environment's unique considerations. Establishing the footing for this kind of relationship all starts at the discovery and assessment stage.
In a previous blog post, I already discussed how IT security people can often shoot themselves in the foot when trying to gain buy-in from their OT peers about taking action on ICS security risks. IT cybersecurity veterans frequently believe that their years of experience translate directly to the OT world without first taking the time to fully understand the core mission and exigencies unique to the ICS environment.
So, what do IT teams need to avoid these missteps and, even better, start moving the needle on OT cyber risks? The key is not only lots of listening and empathy-building exercises but also taking the time to get into the weeds and fully understand the technical underpinnings of how the organization's OT systems work. The team needs a comprehensive view of the unique mission, systems, threats, and impacts for that ICS environment, and the various vendor or business considerations must be taken into account as the team moves forward.
Through this discovery process, the IT team has an excellent opportunity to educate the OT team on why they need more visibility into the ICS environment's risk posture and how they might help them. Conversely, the OT team can help the IT team understand and appreciate the challenges they face and create a realistic plan that works for the business stakeholders overall.
IT leaders are usually called upon to initiate this process, so they need to keep in mind that early on, there should be no expectations for actions just yet. And in some cases, especially if OT engineers are skittish at first due to previous negative interactions with IT, this process may even need to start as an informal meeting of the minds over a friendly shared box of donuts.
However one chooses to begin the process, discovery should help the joint IT/OT team understand and eventually document:
ICS System Architecture
Together the IT/OT teams should work to gain a shared view of how the overall system is architected, any special configuration requirements, and why it was created the way it was. If your organization had to rebuild this OT environment from scratch, what would that look like? Where would that configuration information come from? How much of the details are missing from documentation today? It will often quickly become apparent that neither party has a solid understanding of those details.
Vendor Relationship Status
Similarly, the team should get documentation together to establish all of the vendors installed within the environment, the Service Level Agreements, and the contractual restrictions that OT teams are working under to make the system function at optimal levels. Additionally, the team should be able to put down in writing who specifically at each vendor has remote access to the system and who is available to provide immediate help in the event of a cybersecurity incident.
Ideally, the IT/OT team should also be making overtures to business stakeholders to discover the critical business missions that OT supports, which will help prioritize the security roadmap and operations in the near- and long-term future. It is essential to have competent IT and OT people working together who have a keen understanding of the language and a core passion for the mission they are responsible for to appropriately advise the business.
Finally, together the collaborative team should start figuring out where their most significant visibility gaps lie when it comes to identifying threats operating within their systems. Perhaps a cybersecurity skills gap exists. Leveraging the IT team to create more experts in-house and developing some cybersecurity champions within the ICS environment reduces that gap over time.
It is essential to understand that this process is an endless journey; IT and OT should consistently help each other with their respective education and visibility gaps concerning the most prevalent threats targeting their organizational environments. The ultimate goal for any organization is to effectively leverage its people, processes, and technology to adequately reduce risk to a level the stakeholders find acceptable. Which people, processes, and technology are selected will differ from IT to OT, and that is okay, because their mission, systems, threats, and impacts are different.
When establishing a baseline for these three resource requirements, ensure that, in the end, they are well suited to support the various networks, systems, and applications (protocols) and have the appropriate context to be effective. For example, it is unfair to expect a single person to possess a competent level of skill in cybersecurity, engineering, automation, and IT, and the same can be applied to processes and technology as well. Finding the appropriate balance and structure within those resources will help everyone put their heads together to start prioritizing the most relevant risks to the business and adequately supporting the OT environment.